We present an algorithm to decide the intruder deduction problem (IDP) for a class of locally stable theories enriched with normal forms. Our result relies on a new and efficient algorithm to solve a restricted case of higher-order associative-commutative matching, obtained by combining the Distinct Occurrences of AC-matching algorithm and a standard algorithm to solve systems of linear Diophantine equations. A translation between natural deduction and sequent calculus allows us to use the same approach to decide the elementary deduction problem for locally stable theories. As an application, we model the theory of blind signatures and derive an algorithm to decide IDP in this context, extending previous decidability results.



Introduction 

There are different approaches to model cryptographic protocols and to analyse their security properties [11]. One technique consists of proving that an attack requires solving an algorithmically hard problem; another consists of using a process calculus, such as the spi-calculus [3], to represent the operations performed by the participants and the attacker. In recent years, the deductive approach of Dolev and Yao [20], which abstracts from algorithmic details and models an attacker by a deduction system, has successfully shown the existence of flaws in well-known protocols. A deduction system under the Dolev-Yao approach specifies how the attacker can obtain new information from previous knowledge, obtained either by eavesdropping on the communication between honest protocol participants (in the case of a passive attacker), or by eavesdropping and fraudulently emitting messages (in the case of an active attacker). The intruder deduction problem (IDP) is the question of whether a passive eavesdropper can obtain a certain piece of information from messages observed on the network.

Abadi and Cortier's approach [1] proposes conditions for analysing message deducibility and indistinguishability relations for security protocols modelled in the applied pi-calculus [?]. In particular, [1] shows that IDP is decidable for locally stable theories. However, to ensure the soundness of this approach, the definition of locally stable theories given in [1] needs to be modified (as confirmed via personal communication with the second author of [1]). In this work, we make the necessary modifications and propose a new approach to solve IDP in the context of locally stable theories.
Our notion of locally stable theory is based on the existence of a finite and computable saturated set, but, unlike [1], our saturated sets include normal forms (with this simple modification, the correctness proof in [1] can also be carried out, fixing a gap in Lemma 11). The new approach we propose in order to prove the decidability of IDP is based on an algorithm to solve a restricted case of higher-order associative-commutative matching (AC-matching). To design this algorithm we use well-known results for solving systems of linear Diophantine equations (SLDE) [12, 15, 22, 27], which we combine with a polynomial algorithm to solve the DO-ACM problem (Distinct Occurrences of AC-Matching) [8].

In the case where the signature of the equational theory contains, for each AC function symbol $\oplus$, its corresponding inverse $i_\oplus$, we obtain a decidability result which is polynomial with respect to the size of the saturated set (built from the initial knowledge of the intruder). Thanks to the use of the algorithm for solving SLDE over $\mathbb{Z}$, we avoid an exponential time search over the solution space in the case of AC symbols (improving over [1], where an exponential number of possible combinations has to be considered). For more details we refer the reader to the extended version of this paper.

After introducing the class of locally stable theories and proving the decidability of the IDP for protocols in this class, we show that the Elementary Deduction Problem (EDP) introduced in [29] is also decidable in polynomial time with respect to the size of a saturated set of terms. EDP is stated as follows: given a set $\Gamma$ of messages and a message $M$, is there an $E$-context $C[\dots]$ and messages $M_1, \dots, M_k \in \Gamma$ such that $C[M_1, \dots, M_k] \approx_E M$? Here, $E$ is the equational theory modelling the protocol. We use this approach to model theories with blind signatures. As an application, using a previous result that links the decidability of the EDP to the decidability of the IDP when the theory $E$ satisfies certain conditions, we obtain decidability of IDP for a subclass of locally stable theories combined with the theory $B$ of blind signatures. In this way, we generalise a result from [1] (Section 5.2.4): it is not necessary to prove that the combination of the theories $E$ and $B$ is locally stable.

Related Work. The analysis of cryptographic protocols has attracted a lot of attention in the last years, and several tools are available to try to identify possible attacks; see Maude-NPA [21], ProVerif [10], CryptoVerif [?], Avispa [?], Yapa [?].

Sequent calculus formulations of Dolev-Yao intruders [28] have been used in a formulation of open bisimulation for the spi-calculus. In [29], deductive techniques for dealing with a protocol with blind signatures in mutually disjoint AC-convergent equational theories, each containing a unique AC operator, are considered. As an alternative approach, the intruder's deduction capability is modelled inside a sequent calculus modulo a rewriting system, following the approach of [?]. Then, the IDP is reduced in polynomial time to EDP.

By combining the techniques in [29] and [13], the IDP formulation for an Electronic Purse Protocol with blind signatures was proved to reduce in polynomial time to EDP for an AC-convergent theory containing three different AC operators and rules for exponentiation [26], extending the previous results. However, no algorithm was provided to decide EDP. More precisely, assuming that EDP is solved in time $O(f(n))$, it was proved that IDP reduces polynomially to EDP with complexity $O(n^k \times f(n))$, for some constant $k$. Thus, whenever the former problem is polynomial, the IDP is also polynomial.

Contributions. We present a technique to decide EDP or IDP in AC-convergent equational theories. Our approach is based on a "local stability" property inspired by [1], instead of proving that the deduction rules are "local" in the sense of [25], as done in many previous works [13, 16, 19, 24]. More precisely, the main contributions of this paper are:

• We adapt and refine the technique proposed in [1], where deducibility and indistinguishability relations are claimed to be decidable in polynomial time for locally stable theories. First, we changed the definition of locally stable theories, adding normal forms, which are needed to carry out the decidability proofs. Second, we designed a new algorithm to decide IDP in locally stable theories. The algorithm provided in [1] is polynomial for the class of subterm theories (Proposition 10 in [1]), but the proof does not extend directly to locally stable theories (despite the statement in Proposition 16). Our algorithm relies on solving a restricted case of the higher-order AC-matching problem that is used to decide the deduction relation. It is a combination of two standard algorithms: one for solving the DO-ACM problem [8], which has a polynomial bound in our case; and one for solving systems of Linear Diophantine Equations (SLDE), which is polynomial in $\mathbb{Z}$ [12, 15, 22, 27]. Using this algorithm we prove that IDP is decidable in polynomial time with respect to the saturated set of terms, for locally stable theories with inverses.

• A decidability result for the EDP for locally stable theories, which extends the work of Tiu and Goré [29]. As an application, we present a strategy to decide IDP for locally stable theories combined with blind signatures. Here, the combination of theories does not need to be locally stable.

In order to get the polynomial decidability result claimed in [1] for locally stable theories, we had to restrict to theories that contain, for each AC symbol in the signature, the corresponding inverse. The inverses are necessary when we interpret our term algebra inside the integers $\mathbb{Z}$ to solve SLDE (terms headed by the inverse function will be seen as negative integers). If the theory does not contain inverses, we would have to solve the SLDE over $\mathbb{N}$, which is a well-known NP-complete problem.

1 Preliminaries 

Standard rewriting notation and notions are used (e.g. [6]). We assume the following sets: a countably infinite set $\mathcal{N}$ of names (we use $a, b, c, m$ to denote names); a countably infinite set $\mathcal{X}$ of variables (we use $x, y, z$ to denote variables); and a finite signature $\Sigma$, consisting of function names and their arities. We write $\mathit{arity}(f)$ for the arity of a function $f$, and let $\mathit{ar}(\Sigma)$ be the maximal arity of a function symbol in $\Sigma$. The set of terms is generated by the following grammar:

$M, N := a \mid x \mid f(M_1, \dots, M_n)$

where $f$ ranges over the function symbols of $\Sigma$ and $n$ matches the arity of $f$, $a$ denotes a name in $\mathcal{N}$ (representing principal names, nonces, keys, constants involved in the protocol, etc.) and $x$ a variable. We denote by $V(M)$ the set of variables occurring in $M$. A message $M$ is ground if $V(M) = \emptyset$. The size $|M|$ of a term $M$ is defined by $|u| = 1$, if $u$ is a name or a variable; and $|f(M_1, \dots, M_n)| = 1 + \sum_{i=1}^{n} |M_i|$.

The set of positions of a term $M$, denoted by $\mathcal{P}os(M)$, is defined by $\mathcal{P}os(M) := \{\varepsilon\}$, if $M$ is a name or a variable; and $\mathcal{P}os(M) := \{\varepsilon\} \cup \bigcup_{i=1}^{n} \{\, i.p \mid p \in \mathcal{P}os(M_i) \,\}$, if $M = f(M_1, \dots, M_n)$ where $f \in \Sigma$. The position $\varepsilon$ is called the root position. The size $|M|$ coincides with the cardinality of $\mathcal{P}os(M)$. The set of subterms of $M$ is defined as $st(M) = \{\, M|_p \mid p \in \mathcal{P}os(M) \,\}$, where $M|_p$ denotes the subterm of $M$ at position $p$. For a set $\Gamma$ of terms, the notion of subterm is extended as usual: $st(\Gamma) := \bigcup_{M \in \Gamma} st(M)$. For $p \in \mathcal{P}os(M)$, we denote by $M[t]_p$ the term obtained from $M$ by replacing the subterm at position $p$ by $t$.

A term rewriting system (TRS) is a set $\mathcal{R}$ of oriented equations over terms in a given signature. For terms $s$ and $t$, $s \to_{\mathcal{R}} t$ denotes that $s$ rewrites to $t$ using an instance of a rewriting rule in $\mathcal{R}$. The transitive, reflexive-transitive and equivalence closures of $\to_{\mathcal{R}}$ are denoted by $\to^{+}_{\mathcal{R}}$, $\to^{*}_{\mathcal{R}}$ and $\leftrightarrow^{*}_{\mathcal{R}}$, respectively. The equivalence closure $\leftrightarrow^{*}_{\mathcal{R}}$ of the rewriting relation is also written $=_{\mathcal{R}}$.

Given a TRS $\mathcal{R}$ in which some function symbols are assumed to be AC, and two terms $s$ and $t$, $s \to_{\mathcal{R}\cup AC} t$ if there exists $w$ such that $s =_{AC} w$ and $w \to_{\mathcal{R}} t$, where $=_{AC}$ denotes equality modulo AC (according to the AC assumption on function symbols). For every term $s$, the set of normal forms $s{\downarrow}_{\mathcal{R}}$ (closed modulo AC) of $s$ is the set of terms $t$ such that $s \to^{*}_{\mathcal{R}\cup AC} t$ and $t$ is irreducible for $\to_{\mathcal{R}\cup AC}$. $\mathcal{R}$ is said to be AC-convergent whenever it is AC-terminating and AC-confluent.

We equip the signature $\Sigma$ with an equational theory $\approx_E$ induced by a set of $\Sigma$-equations $E$, that is, $\approx_E$ is the smallest equivalence relation that contains $E$ and is closed under substitutions and compatible with $\Sigma$-contexts. An equational theory $\approx_E$ is said to be equivalent to a TRS $\mathcal{R}$ whenever $\approx_E$ coincides with $=_{\mathcal{R}}$. An equational theory is AC-convergent when it has an equivalent rewrite system $\mathcal{R}$ which is AC-convergent. In the next sections, given an AC-convergent equational theory $\approx_E$, normal forms of terms are computed with respect to the TRS $\mathcal{R}$ associated to $\approx_E$, unless otherwise specified. To simplify the notation we will denote by $E$ the equational theory induced by the set of $\Sigma$-equations $E$. We will denote by $\Sigma_E$ the signature used in the set of equations $E$. The size $c_E$ of an equational theory $E$ with an associated TRS $\mathcal{R}$ consisting of the rules $\mathcal{R} = \bigcup_{i=1}^{k} \{ l_i \to r_i \}$ is defined as $c_E = \max_{1 \le i \le k} \{ |l_i|, |r_i|, \mathit{ar}(\Sigma) + 1 \}$. For $\mathcal{R} = \emptyset$, define $c_E = \mathit{ar}(\Sigma) + 1$.

Let $\square$ be a new symbol which does not yet occur in $\Sigma \cup \mathcal{X}$. A $\Sigma$-context is a term $t \in T(\Sigma, \mathcal{X} \cup \{\square\})$ and can be seen as a term with "holes", represented by $\square$, in it. Contexts are denoted by $C$. If $\{p_1, \dots, p_n\} = \{\, p \in \mathcal{P}os(C) \mid C|_p = \square \,\}$, where $p_i$ is to the left of $p_{i+1}$ in the tree representation of $C$, then $C[T_1, \dots, T_n] := C[T_1]_{p_1} \dots [T_n]_{p_n}$. In what follows a context formed using only function symbols in $\Sigma_E$ will be called an $E$-context, to emphasize the equational theory $E$.

A term $M$ is said to be an $E$-alien if $M$ is headed by a symbol $f \notin \Sigma_E$ or is a private name/constant. We write $M \equiv N$ to denote syntactic equality of ground terms.

In the rest of the paper, we use signatures, terms and equational theories to model protocols. Mes- 
sages exchanged between participants of a protocol during its execution are represented by terms. Equa- 
tional theories and rewriting systems are used to model the cryptographic primitives in the protocol and 
the algebraic capabilities of an intruder. 



2 Deduction Problem 

Given a set $\Gamma$ that represents the information available to an attacker, we may ask whether a given ground term $M$ may be deduced from $\Gamma$ using equational reasoning. This relation is written $\Gamma \vdash M$ and axiomatised in a natural-deduction-like system of inference rules.

Table 1: System $\mathcal{N}$, a natural deduction system for intruder equational deduction

$\dfrac{M \in \Gamma}{\Gamma \vdash M}\ (id)$

$\dfrac{\Gamma \vdash M_1 \quad \dots \quad \Gamma \vdash M_n}{\Gamma \vdash f(M_1, \dots, M_n)}\ (f),\ f \in \Sigma_E$

$\dfrac{\Gamma \vdash M}{\Gamma \vdash N}\ (\approx),\ M \approx_E N$



2.1 Locally Stable Theories 

Let $\oplus$ be an arbitrary function symbol in $\Sigma_E$ for an equational theory $E$. We write $\alpha \cdot_\oplus M$ for the term $M \oplus \dots \oplus M$, $\alpha$ times ($\alpha \in \mathbb{N}$). Given a set $S$ of terms, we write $sum_\oplus(S)$ for the set of arbitrary sums of terms in $S$, closed modulo AC:

$sum_\oplus(S) = \{\, (\alpha_1 \cdot_\oplus T_1) \oplus \dots \oplus (\alpha_n \cdot_\oplus T_n) \mid \alpha_i > 0,\ T_i \in S \,\}$ (1)

Define $sum(S) = \bigcup_{i=1}^{k} sum_{\oplus_i}(S)$, where $\oplus_1, \dots, \oplus_k$ are the AC-symbols of the theory.

For a rule $l \to r \in \mathcal{R}$ and a substitution $\theta$ such that

• either there exists a term $s_1$ such that $s =_{AC} s_1$, $s_1 \equiv l\theta$ and $t = r\theta$;

• or there exist terms $s_1$ and $s_2$ such that $s =_{AC} s_1 \oplus s_2$, $s_1 \equiv l\theta$ and $t =_{AC} r\theta \oplus s_2$,

we write $s \to^{h} t$ and say that the reduction occurs in the head.

As in [1], we associate with each set $\Gamma$ of messages a set of subterms in $\Gamma$ that may be deduced from $\Gamma$ by applying only "small" contexts. The concept of small is arbitrary; in the definition below, we have bounded the size of an $E$-context $C$ by $c_E$ and the size of $C'$ by $c_E^2$, but other bounds may be suitable. Notice that limiting the size of an $E$-context by $c_E$ makes the context big enough to be an instance of any of the rules in the TRS associated to $E$.

Definition 1 (Locally Stable). An AC-convergent equational theory $E$ is locally stable if, for every finite set $\Gamma = \{M_1, \dots, M_n\}$, where the terms $M_i$ are ground and in normal form, there exists a finite and computable set $sat(\Gamma)$, closed modulo AC, such that

1. $M_1, \dots, M_n \in sat(\Gamma)$;

2. if $M_1, \dots, M_k \in sat(\Gamma)$ and $f(M_1, \dots, M_k) \in st(sat(\Gamma))$ then $f(M_1, \dots, M_k) \in sat(\Gamma)$, for $f \in \Sigma_E$;

3. if $C[S_1, \dots, S_l] \to^{h} M$, where $C$ is an $E$-context such that $|C| \le c_E$, and $S_1, \dots, S_l \in sum_\oplus(sat(\Gamma))$ for some AC symbol $\oplus$, then there exist an $E$-context $C'$, a term $M'$, and terms $S'_1, \dots, S'_l \in sum_\oplus(sat(\Gamma))$ such that $|C'| \le c_E^2$ and $M \to^{*}_{\mathcal{R}\cup AC} M' =_{AC} C'[S'_1, \dots, S'_l]$;

4. if $M \in sat(\Gamma)$ then $M{\downarrow} \in sat(\Gamma)$;

5. if $M \in sat(\Gamma)$ then $\Gamma \vdash M$.

Notice that the set $sat(\Gamma)$ may not be unique. Any set $sat(\Gamma)$ satisfying the five conditions is adequate for the results.

Remark 1. The addition of rule 4 in Definition 1 is necessary to prove case 1b of Lemma 1, where the rewriting reduction occurs in a term $M_j \in sat(\Gamma)$ at a position different from the "head". Normal forms are strictly necessary in the set $sat(\Gamma)$: they are essential to lift the applications of rewriting rules in the head of "small" contexts to applications of rewriting rules in arbitrary positions of "small" contexts. With this additional condition, Lemma 11 in [1] can also be proved. This fact was confirmed via personal communication with the second author of [1].
The lemma and the corollary below, adapted from [1], are used in the proof of Theorem 2.

Lemma 1. Let $E$ be a locally stable theory and $\Gamma = \{M_1, \dots, M_n\}$ a set of ground terms in normal form. For every $E$-context $C_1$, for every $M_i \in sat(\Gamma)$, for every term $T$ such that $C_1[M_1, \dots, M_k] \to_{\mathcal{R}\cup AC} T$, there exist an $E$-context $C_2$ and terms $M'_j \in sat(\Gamma)$ such that $T \to^{*}_{\mathcal{R}\cup AC} C_2[M'_1, \dots, M'_l]$.

Proof. Suppose that $C_1[M_1, \dots, M_k] \to_{\mathcal{R}\cup AC} T$, for an $E$-context $C_1$ and $M_i \in sat(\Gamma)$. The proof is divided into two cases:

1. The reduction happens inside one of the terms $M_i$:

(a) if $M_i \to^{h} M'_i$ then, by definition of $sat(\Gamma)$ (since $E$ is locally stable), there exists an $E$-context $C$ such that $|C| \le c_E^2$ and $M'_i \to^{*} C[S_1, \dots, S_l]$, where $S_j \in sum_\oplus(sat(\Gamma))$.

Each $S_j \in sum_\oplus(sat(\Gamma))$ is of the form $S_j = (\alpha_1 \cdot_\oplus M_{j_1}) \oplus \dots \oplus (\alpha_n \cdot_\oplus M_{j_n})$, for $M_{j_k} \in sat(\Gamma)$. That is, $S_j = C_j[M_{j_1}, \dots, M_{j_n}]$, for $1 \le j \le l$. Therefore,

$C_1[M_1, \dots, M_i, \dots, M_k] \to C_1[M_1, \dots, M'_i, \dots, M_k] \to^{*}_{\mathcal{R}\cup AC} C_1[M_1, \dots, C[S_1, \dots, S_l], \dots, M_k] =_{AC} C'_1[M''_1, \dots, M''_s]$

where $M''_t \in sat(\Gamma)$, for $1 \le t \le s$.

(b) if $M_i \to_{\mathcal{R}\cup AC} M'_i$ at a position different from the "head", then

$C_1[M_1, \dots, M_i, \dots, M_k] \to C_1[M_1, \dots, M'_i, \dots, M_k] \to^{*}_{\mathcal{R}\cup AC} C_1[M_1, \dots, M_i{\downarrow}, \dots, M_k]$.

By case 4 of Definition 1, $M_i{\downarrow} \in sat(\Gamma)$.

2. The case where the reduction does not occur inside the terms $M_i$: this case is very technical and is omitted here. The complete proof can be found in the extended version of this paper.

□

As a consequence we obtain the following corollary:

Corollary 1 ([1]). Let $E$ be a locally stable theory. Let $\Gamma = \{M_1, \dots, M_n\}$ be a set of ground terms in normal form. For every $E$-context $C_1$, for every $M'_i \in sat(\Gamma)$, for every $T$ in normal form such that $C_1[M'_1, \dots, M'_k] \to^{*}_{\mathcal{R}\cup AC} T$, there exist an $E$-context $C_2$ and terms $M''_j \in sat(\Gamma)$ such that $T =_{AC} C_2[M''_1, \dots, M''_l]$.

Proof. The proof is the same as in [1]. □

In the following we show that any term $M$ deducible from $\Gamma$ is equal modulo AC to an $E$-context over terms in $sat(\Gamma)$.

Lemma 2 ([1]). Let $E$ be a locally stable theory. Let $\Gamma = \{M_1, \dots, M_n\}$ be a finite set of ground terms in normal form, and $M$ be a ground term in normal form. Then $\Gamma \vdash M$ if and only if there exist an $E$-context $C$ and terms $M'_1, \dots, M'_l \in sat(\Gamma)$ such that $M =_{AC} C[M'_1, \dots, M'_l]$.

Proof. The proof is the same as in [1]. □

As a consequence of the previous results, decidability of IDP for locally stable theories is obtained:

Theorem 1. The Intruder Deduction Problem is decidable for locally stable theories.

In the next section we provide a complexity bound for the decidability of the intruder deduction problem for a restricted case of locally stable theories.
3 Locally Stable Theories with Inverses

In order to obtain the polynomial complexity bound of our decidability algorithm we need to consider the existence of inverses for each AC symbol in the signature of our equational theory. Our algorithm relies on solving systems of linear Diophantine equations over $\mathbb{Z}$, and the inverses are interpreted as negative integers.

(*) In the following results, let $E$ be a locally stable theory whose signature contains, for each AC function symbol $\oplus$, its corresponding inverse $i_\oplus$.

That is, the following results are related to equational theories $E$ containing the following equation:

$x \oplus i_\oplus(x) = e_\oplus$ (2)

for each AC-symbol $\oplus$ in $\Sigma_E$, where $i_\oplus$ is the unary function symbol representing the inverse of $\oplus$ and $e_\oplus$ is the corresponding neutral element.

Definition 2 (Locally Stable with Inverses). An AC-convergent equational theory $E$ satisfying (*) is locally stable if, for every finite set $\Gamma = \{M_1, \dots, M_n\}$, where the terms $M_i$ are ground and in normal form, there exists a finite and computable set $sat(\Gamma)$, closed modulo AC, such that

1. $M_1, \dots, M_n \in sat(\Gamma)$, and $e_\oplus \in sat(\Gamma)$ for each $\oplus \in \Sigma_E$;

2. if $M_1, \dots, M_k \in sat(\Gamma)$ and $f(M_1, \dots, M_k) \in st(sat(\Gamma))$ then $f(M_1, \dots, M_k) \in sat(\Gamma)$, for $f \in \Sigma_E$;

3. if $C[S_1, \dots, S_l] \to^{h} M$, where $C$ is an $E$-context such that $|C| \le c_E$, and $S_1, \dots, S_l \in sum_\oplus(sat(\Gamma))$ for some AC symbol $\oplus$, then there exist an $E$-context $C'$, a term $M'$, and terms $S'_1, \dots, S'_l \in sum_\oplus(sat(\Gamma))$ such that $|C'| \le c_E^2$ and $M \to^{*}_{\mathcal{R}\cup AC} M' =_{AC} C'[S'_1, \dots, S'_l]$;

4. if $M \in sat(\Gamma)$ then $M{\downarrow} \in sat(\Gamma)$;

5. if $M \in sat(\Gamma)$ then $i_\oplus(M){\downarrow} \in sat(\Gamma)$ for each AC symbol $\oplus$ in $\Sigma_E$;

6. if $M \in sat(\Gamma)$ then $\Gamma \vdash M$.

Based on a well-founded ordering over the symbols in the language, we prove that a restricted case of higher-order AC-matching ("is there an $E$-context $C$ such that $M =_{AC} C[M_1, \dots, M_k]$ for some $M_1, \dots, M_k \in sat(\Gamma)$?") can be solved in polynomial time in $|sat(\Gamma)|$ and $|M|$. This AC-matching problem is solved using the DO-ACM (Distinct Occurrences of AC-matching) algorithm [8], where every variable in the term being matched occurs only once. In addition, we also use a standard polynomial-time algorithm for solving SLDE over $\mathbb{Z}$ [12, 15, 22, 27].

To facilitate the description of the algorithm below we consider only one AC-symbol $\oplus$, whose corresponding inverse will be denoted by $i$. The proof can be extended similarly for theories with multiple AC-symbols, each with its corresponding inverse.

Lemma 3. Let $E$ be a locally stable theory satisfying (*), $\Gamma = \{M_1, \dots, M_n\}$ a finite set of ground messages in normal form and $M$ a ground term in normal form. Then the question of whether there exist an $E$-context $C$ and $T_1, \dots, T_k \in sat(\Gamma)$ such that $M =_{AC} C[T_1, \dots, T_k]$ is decidable in polynomial time in $|M|$ and $|sat(\Gamma)|$.
Proof. Given $\Gamma$, we construct the set $sat(\Gamma) = \{T_1, \dots, T_s\}$, which is computable and finite by Definition 2. We can then check whether $M =_{AC} C[T_1, \dots, T_k]$ for some $E$-context $C$ and terms $T_1, \dots, T_k \in sat(\Gamma)$ using the following algorithm, which is divided into its main component A) and procedures B) and C) for reducing to linear Diophantine equations and selecting the $T_i$'s from $sat(\Gamma)$, respectively.

A) Algorithm 1.

1. For all positions $p$ in $M$ headed by $\oplus$, starting from the longest positions in decreasing order (positions seen as sequences), solve the system of linear Diophantine equations (see part B below) for $M|_p$ with $sat(\Gamma) \cup S$, where $S$ is built incrementally from $sat(\Gamma)$, starting with $S_0 = \emptyset$ and including all $M|_p$ that have solutions. In other words:

Let $\mathcal{P}' = \{p_1, \dots, p_t\}$ be the set of posit
ions of $M$ such that $M|_p$ is headed with $\oplus$, organised in decreasing order. For each $p_j \in \mathcal{P}'$, let $M|_{p_j}$ be the subterm of $M$ such that

$M|_{p_j} = n_{j_1} \oplus \dots \oplus n_{j_{k_j}}$ $(j = 1, \dots, t)$

Recursively find (suppressing step 1 in this recursive call) solutions for the arguments $n_{j_{i_1}}, \dots, n_{j_{i_l}}$ of $M|_{p_j}$, with $n_{j_{i_m}} \in \{n_{j_1}, \dots, n_{j_{k_j}}\}$, and respective $E$-contexts $C_{j_{i_1}}, \dots, C_{j_{i_l}}$ such that

$n_{j_{i_m}} = C_{j_{i_m}}[T_1, \dots, T_{s_{i_m}}]$, where $T_q \in sat(\Gamma) \cup S_{j-1}$, $q = 1, \dots, s_{i_m}$.

Then one checks satisfiability of the SLDE generated from $M|_{p_j}$ and $sat(\Gamma) \cup S_{j-1} \cup \{n_{j_{i_1}}, \dots, n_{j_{i_l}}\}$ (see steps B and C).

If there is a solution then $S_j := S_{j-1} \cup \{n_{j_{i_1}}, \dots, n_{j_{i_l}}\} \cup \{M|_{p_j}\}$.

2. Let $S := S_t$. Classify the terms in $sat(\Gamma) \cup S$ by size.

3. For each term $T_i \in sat(\Gamma) \cup S$ (from terms of maximal size to terms of minimal size) check:

• For each position $q \in \mathcal{P}os(M)$ such that $T_i =_{AC} M|_q$, check whether the path between $T_i$ and the root of $M$ contains a $\oplus$:

- if NOT, then delete $M|_q$ from $M$ and move to $T_{i+1}$;

- if YES (there is a $\oplus$), then $M$ has a subterm $N$ such that $N = n_1 \oplus \dots \oplus n_j[T_i] \oplus \dots$ and $N$ cannot be constructed from $sat(\Gamma) \cup S$. Therefore, $M$ cannot be written as an $E$-context over terms from $sat(\Gamma)$.

4. Check whether the remaining part of $M$ still contains $E$-aliens. If it does not, we have found an $E$-context $C$ and terms $M_1, \dots, M_k \in sat(\Gamma)$ with $M =_{AC} C[M_1, \dots, M_k]$; otherwise such an $E$-context does not exist.

B) Reduction to linear Diophantine equations.

First, notice that, for each position $p$ such that $M|_p$ is headed with $\oplus$, we have

$M|_p = \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$, $\alpha_j \in \mathbb{N}$ (3)

where $m_j$ is not headed with $\oplus$ and $\alpha_j m_j$ stands for $m_j \oplus \dots \oplus m_j$ ($\alpha_j$ times).

We want to prove that there are $\beta_1, \dots, \beta_q \in \mathbb{N}$ such that

$\beta_1 T_1 \oplus \dots \oplus \beta_q T_q =_{AC} M|_p = \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$ (4)

This AC-equality is only possible when $T_i = \gamma_{1i} m_1 \oplus \dots \oplus \gamma_{ri} m_r$ for each $i$, $1 \le i \le q \le s$, and $\gamma_{ji} \in \mathbb{N}$. That is, $\beta_1 T_1 \oplus \dots \oplus \beta_q T_q =_{AC} \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$ if and only if

$\beta_1(\gamma_{11} m_1 \oplus \dots \oplus \gamma_{r1} m_r) \oplus \beta_2(\gamma_{12} m_1 \oplus \dots \oplus \gamma_{r2} m_r) \oplus \dots \oplus \beta_q(\gamma_{1q} m_1 \oplus \dots \oplus \gamma_{rq} m_r) = \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$ (5)

if and only if

$(\gamma_{11}\beta_1 \oplus \gamma_{12}\beta_2 \oplus \dots \oplus \gamma_{1q}\beta_q)\, m_1 \oplus (\gamma_{21}\beta_1 \oplus \gamma_{22}\beta_2 \oplus \dots \oplus \gamma_{2q}\beta_q)\, m_2 \oplus \dots \oplus (\gamma_{r1}\beta_1 \oplus \gamma_{r2}\beta_2 \oplus \dots \oplus \gamma_{rq}\beta_q)\, m_r = \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$ (6)

if and only if

$S = \begin{cases} \gamma_{11}\beta_1 + \gamma_{12}\beta_2 + \dots + \gamma_{1q}\beta_q = \alpha_1 \\ \gamma_{21}\beta_1 + \gamma_{22}\beta_2 + \dots + \gamma_{2q}\beta_q = \alpha_2 \\ \qquad \vdots \\ \gamma_{r1}\beta_1 + \gamma_{r2}\beta_2 + \dots + \gamma_{rq}\beta_q = \alpha_r \end{cases}$ (7)

where $S$ is a system of linear Diophantine equations over $\mathbb{Z}$ which can be solved in polynomial time [12, 15, 22, 27].

Remark 2. We will interpret the equations (3) and (4) inside integer arithmetic. If there exists an index $j$ such that $m_j = i(m'_j)$ and $m'_j$ is not headed with $i$, then $\alpha_j m_j = \alpha_j (i(m'_j))$ and we will take it as $(-\alpha_j) m'_j$. Therefore, we can take $\alpha_j \in \mathbb{Z}$, for all $j$. We can use the same reasoning to conclude that $\beta_j \in \mathbb{Z}$ for all $1 \le j \le q$, and $\gamma_{ij} \in \mathbb{Z}$ for all $i$ and $j$.

C) Selecting the $T_i$'s from $sat(\Gamma)$.

For each $T_i \in sat(\Gamma)$, $1 \le i \le s$, we want to check whether $T_i = \gamma_{1i} m_1 \oplus \dots \oplus \gamma_{ri} m_r$.

Algorithm 2: For each $T_i \in sat(\Gamma)$, $1 \le i \le s$, solve the equation $T_i \oplus x_i =_{AC} \alpha_1 m_1 \oplus \dots \oplus \alpha_r m_r$, where $x_i$ is a fresh variable.

Since the $T_i$'s and $M$ are ground terms, this equation can be seen as an instance of the DO-ACM matching problem, which can be solved in time $O(|T_i \oplus x_i| \cdot |M|_p|)$ [8].

If there exists $T_i \in sat(\Gamma)$ such that $T_i = \gamma_{1i} m_1 \oplus \dots \oplus \gamma_{ri} m_r \oplus u$, where $u$ is not empty, $\gamma_{ji} \in \mathbb{N}$, and Algorithm 2 can no longer be applied, then $T_i$ will not be selected.

Notice that each step of the algorithm can be done in polynomial time in $|M|$ and $|sat(\Gamma)|$. Therefore, the whole procedure is polynomial in $|M|$ and $|sat(\Gamma)|$. □
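As an added, runnable illustration of part B together with Remark 2 (example code written for this edit, not the paper's own implementation): terms over the signature of Example 1 ($+$, $i$, constants) are encoded as nested tuples, `flatten` computes the coefficient vector $\alpha$ of a term over its non-$+$ atoms with $i(m)$ counted as $-1 \cdot m$, the vectors $\gamma_{\cdot i}$ of the candidate $T_i \in sat(\Gamma)$ form the matrix of system (7), and `solve_diophantine` (a small Hermite-style column-reduction solver, one of the standard polynomial choices) returns an integer $\beta$ or reports that none exists. The function names, the tuple encoding and the sample terms are constructed for this example, and inputs are assumed to be in normal form with respect to $\mathcal{R}_{AG}$.

```python
from typing import Dict, List, Optional

# Terms are nested tuples: ("a",) is a constant, (INV, t) its inverse and
# (PLUS, t1, ..., tn) a flattened sum.  PLUS and INV stand for the + and i
# of Example 1 (an assumed encoding, not the paper's notation).
PLUS, INV = "+", "i"
Term = tuple


def flatten(t: Term) -> Dict[Term, int]:
    """Coefficient vector of t over its non-+ atoms, as in equation (3) read
    through Remark 2: i(m) contributes -1 to m, so coefficients live in Z."""
    coeffs: Dict[Term, int] = {}
    stack = [(t, 1)]
    while stack:
        u, sign = stack.pop()
        if u[0] == PLUS:
            stack.extend((arg, sign) for arg in u[1:])
        elif u[0] == INV:                        # i is a homomorphism in E_AG
            stack.append((u[1], -sign))
        else:                                    # an atom: constant or E-alien
            coeffs[u] = coeffs.get(u, 0) + sign
    return {m: c for m, c in coeffs.items() if c != 0}


def solve_diophantine(A: List[List[int]], b: List[int]) -> Optional[List[int]]:
    """Return an integer y with A*y == b, or None if no such y exists.
    Unimodular column operations (extended-Euclid style) bring A to column
    echelon form H = A*U; H*z == b is solved by forward substitution, and a
    non-integer quotient or an inconsistent row means no solution over Z.
    y = U*z is then a solution of the original system."""
    m, n = len(A), len(A[0])
    H = [row[:] for row in A]
    U = [[int(r == c) for c in range(n)] for r in range(n)]
    pivot_of_row: Dict[int, int] = {}
    c = 0
    for i in range(m):
        if c >= n:
            break
        while True:
            nz = [j for j in range(c, n) if H[i][j] != 0]
            if len(nz) <= 1:
                break
            k = min(nz, key=lambda j: abs(H[i][j]))   # smallest entry divides
            for j in nz:
                if j != k:
                    q = H[i][j] // H[i][k]
                    for t in range(m):
                        H[t][j] -= q * H[t][k]
                    for t in range(n):
                        U[t][j] -= q * U[t][k]
        if nz:                                   # move the survivor to column c
            j = nz[0]
            for t in range(m):
                H[t][c], H[t][j] = H[t][j], H[t][c]
            for t in range(n):
                U[t][c], U[t][j] = U[t][j], U[t][c]
            pivot_of_row[i] = c
            c += 1
    z = [0] * n
    for i in range(m):
        s = sum(H[i][j] * z[j] for j in range(n))
        p = pivot_of_row.get(i)
        if p is None:
            if s != b[i]:
                return None                      # row is inconsistent
        else:
            r = b[i] - s                         # z[p] is still 0 here
            if r % H[i][p] != 0:
                return None                      # only a rational solution
            z[p] = r // H[i][p]
    return [sum(U[t][j] * z[j] for j in range(n)) for t in range(n)]


def match_sum(M: Term, sat: List[Term]) -> Optional[List[int]]:
    """Part B of Lemma 3 for one +-headed subterm M|_p: is M =_AC
    beta_1 T_1 + ... + beta_q T_q for some beta in Z?  A negative beta_j
    means |beta_j| copies of i(T_j).  Returns beta, or None."""
    alpha = flatten(M)
    gammas = [flatten(T) for T in sat]
    atoms = sorted(set(alpha) | {m for g in gammas for m in g}, key=repr)
    if not atoms:                                # M is the neutral element
        return [0] * len(sat)
    A = [[g.get(m, 0) for g in gammas] for m in atoms]   # rows are m_1..m_r
    b = [alpha.get(m, 0) for m in atoms]                  # alpha_1..alpha_r
    return solve_diophantine(A, b)


def realise(beta: List[int], sat: List[Term]) -> Term:
    """Instantiate the E-context found by match_sum as an explicit term."""
    args: List[Term] = []
    for bj, T in zip(beta, sat):
        args.extend([T if bj > 0 else (INV, T)] * abs(bj))
    return (PLUS, *args) if args else ("0",)


if __name__ == "__main__":
    # Constructed sample: sat(Gamma) = {a+b, b+c, a}, target M = a+c.
    a, b, c = ("a",), ("b",), ("c",)
    sat = [(PLUS, a, b), (PLUS, b, c), a]
    beta = match_sum((PLUS, a, c), sat)
    print(beta, flatten(realise(beta, sat)) == flatten((PLUS, a, c)))
```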

Remark 3. For the proof we can adopt an ordering in which, for instance, variables are smaller than constants, constants are smaller than function symbols, and function symbols are also ordered among themselves, but other suitable orders can be used. Terms are compared by the associated lexicographic ordering built from this ordering on symbols.
Example 1 (Finite Abelian Groups). We consider the theory of Abelian groups, where the signature is $\Sigma_{AG} = \{+, 0, i\}$, for $i$ the inverse function and $+$ the AC group operator. The equational theory $E_{AG}$ is:

$E_{AG} = \{\ x + (y + z) = (x + y) + z,\ \ x + y = y + x,\ \ x + 0 = x,\ \ i(i(x)) = x,\ \ x + i(x) = 0,\ \ i(0) = 0,\ \ i(x + y) = i(x) + i(y)\ \}$

We define $\mathcal{R}_{AG}$ by orienting the equations from left to right (excluding the equations for associativity and commutativity). $\mathcal{R}_{AG}$ is AC-convergent. The size $c_{E_{AG}}$ of the theory is at least 5. In the following we prove that $E_{AG}$ is locally stable with inverses for finite models, i.e., we define a set $sat(\Gamma)$ satisfying the properties in Definition 2. For a given set $\Gamma = \{M_1, \dots, M_k\}$ of ground terms in normal form, $sat(\Gamma)$ is the smallest set such that:

1. $M_1, \dots, M_k \in sat(\Gamma)$;

2. if $M_1, \dots, M_k \in sat(\Gamma)$ and $f(M_1, \dots, M_k) \in st(sat(\Gamma))$ then $f(M_1, \dots, M_k) \in sat(\Gamma)$, for $f \in \Sigma_{AG}$;

3. if $M_i, M_j \in sat(\Gamma)$ and $M_i + M_j \to^{h} M$ via the rule $x + i(x) \to 0$ then $M{\downarrow} \in sat(\Gamma)$;

4. if $M_i \in sat(\Gamma)$ then $i(M_i){\downarrow} \in sat(\Gamma)$;

5. if $M_i =_{AC} M_j$ and $M_i \in sat(\Gamma)$ then $M_j \in sat(\Gamma)$.

The set $sat(\Gamma)$ defined for finite Abelian groups is finite.

Although it was said in [1, ?] that the theory of Abelian groups is locally stable, no proof of such a fact was found in the literature. With the proviso that the Abelian group under consideration is finite, we have demonstrated that $|sat(\Gamma)|$ is exponential in the size of

These results give rise to the decidability of deduction for locally stable theories. Notice that polynomiality in $|sat(\Gamma)|$ relies on the use of the AC-matching algorithm proposed in Lemma 3. Unlike [1], we do not need to compute the congruence class modulo AC of $M$ (which may be exponential). This gives us a slightly different version of the decidability theorem:

Theorem 2. Let $E$ be a locally stable theory satisfying (*). If $\Gamma = \{M_1, \dots, M_n\}$ is a finite set of ground terms in normal form and $M$ is a ground term in normal form, then $\Gamma \vdash M$ is decidable in polynomial time in $|M|$ and $|sat(\Gamma)|$.

Proof. The result follows directly from Lemmas 3 and 2. □

In the following example we consider the pure AC theory, which can be proven to be locally stable but does not contain the inverse of the AC-symbol $\oplus$.

Example 2 (Pure AC Theory). $\Sigma_{AC}$ contains only constant symbols and the AC-symbol $\oplus$, and the equational theory contains only the AC equations for $\oplus$:

$AC = \{\ x \oplus y = y \oplus x,\ \ x \oplus (y \oplus z) = (x \oplus y) \oplus z\ \}$

In this case, $E = AC$ and $\mathcal{R} = \emptyset$ is the AC-convergent TRS associated to $E$. Let $\Gamma = \{M_1, \dots, M_k\}$ be a finite set of ground terms in normal form. Let us define $sat(\Gamma)$ for the pure AC theory as the smallest set such that

1. $M_1, \dots, M_k \in sat(\Gamma)$;

2. if $M_i, M_j \in sat(\Gamma)$ and $M_i \oplus M_j \in st(sat(\Gamma))$ then $M_i \oplus M_j \in sat(\Gamma)$;

3. if $M_i =_{AC} M_j$ and $M_i \in sat(\Gamma)$ then $M_j \in sat(\Gamma)$.

The set $sat(\Gamma)$ is finite since we add only terms whose size is smaller than or equal to the maximal size of the terms in $\Gamma$. It is easy to see that the set $sat(\Gamma)$ satisfies conditions 1, 2, 4 and 5 of Definition 1. Since $\mathcal{R} = \emptyset$, it follows that condition 3 is also satisfied. Therefore, $AC$ is locally stable.
The size of $sat(\Gamma)$:

• Steps 1 and 2: only subterms in $sat(\Gamma)$ are added.

• Step 3: for each $M_i \in sat(\Gamma)$ add $M_j =_{AC} M_i$ to $sat(\Gamma)$. Notice that the number of terms added to $sat(\Gamma)$, in this case, depends on the number of occurrences of $\oplus$ in $M_i$. Suppose that $M_i$ contains $n$ occurrences of $\oplus$:

$M_i = M_{i_1} \oplus \dots \oplus M_{i_{n+1}}$.

There are $(n+1)!$ terms $M_j$ such that $M_i =_{AC} M_j$.

Suppose that each $M_i \in \Gamma$ contains $n_i$ occurrences of $\oplus$. Then $|M_i| = \sum_{j=1}^{n_i+1} |M_{i_j}| + n_i$. Let $n = \max_{1 \le i \le k} \{n_i\}$. There exists an index $r$ such that $M_r$ contains $n_r = n$ occurrences of $\oplus$. Since $|\Gamma| = \sum_{i=1}^{k} |M_i|$, it follows that $n \le |M_r| - \sum_{j=1}^{n+1} |M_{r_j}| \le |\Gamma|$. Then the number of terms added in step 3 is $\sum_{i=1}^{k} (n_i + 1)! \le (n+1)! \cdot k \le (|\Gamma| + 1)! \cdot k$.

Remark 4. In this case one can adapt Lemma 3 so that the algorithm relies on solving systems of linear Diophantine equations over $\mathbb{N}$, which is NP-complete [27]. Therefore, the complexity of IDP for pure AC would be exponential, agreeing with previous results [23].



4 Elementary Deduction Problem for Locally Stable Theories 

To establish the necessary concepts for the next results, we recall the well-known translation between natural deduction and sequent calculus systems, used to model the IDP as proof search in sequent calculus, whose properties (such as cut elimination or the subformula property) facilitate the study of decidability of deductive systems. For an AC-convergent equational theory $E$, the System $\mathcal{N}$ in Table 1 is equivalent to the $(id)$-rule of the sequent calculus (Table 2) introduced in [29]:

$\dfrac{M \approx_E C[M_1, \dots, M_k]\qquad C[\,]\ \text{an } E\text{-context, and } M_1, \dots, M_k \in \Gamma}{\Gamma \vdash M}\ (id)$

Consequently, IDP for System $\mathcal{N}$ is equivalent to the Elementary Deduction Problem:

Definition 3. Given an AC-convergent equational theory $E$ and a sequent $\Gamma \vdash M$, ground and in normal form, the elementary deduction problem (EDP) for $E$, written $\Gamma \Vdash_E M$, is the problem of deciding whether the $(id)$-rule is applicable to $\Gamma \vdash M$.
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The theorem below decides EDP for locally stable theories : 

Theorem 3. Let $E$ be a locally stable equational theory satisfying (*). Let $\Gamma \vdash M$ be a ground sequent in normal form. The elementary deduction problem for the theory $E$ ($\Gamma \Vdash_E M$) is decidable in polynomial time in $|sat(\Gamma)|$ and $|M|$.

Proof. By Lemma 3, the problem whether $M =_{AC} C[M_1, \dots, M_k]$ for an $E$-context $C$ and terms $M_1, \dots, M_k \in sat(\Gamma)$ is decidable in polynomial time in $|sat(\Gamma)|$ and $|M|$. If $M =_{AC} C[M_1, \dots, M_k]$ for an $E$-context $C$ and terms $M_1, \dots, M_k \in sat(\Gamma)$, then there exist an $E$-context $C'$ and terms $M'_1, \dots, M'_n \in \Gamma$ such that $C'[M'_1, \dots, M'_n] \rightarrow^{*}_{R \cup AC} M$. It is enough to observe that every $T \in sat(\Gamma)$ can be constructed from the terms in $\Gamma$.

If there are no $E$-context $C$ and terms $M_1, \dots, M_k \in sat(\Gamma)$ such that $M =_{AC} C[M_1, \dots, M_k]$ then, by Corollary 1, there are no $E$-context $C'$ and terms $M'_1, \dots, M'_t \in sat(\Gamma)$ such that $C'[M'_1, \dots, M'_t] \rightarrow^{*}_{R \cup AC} M$. Therefore, there are no $E$-context $C''$ and terms $M''_1, \dots, M''_l \in \Gamma$ such that $C''[M''_1, \dots, M''_l] \rightarrow^{*}_{R \cup AC} M$. Thus, the EDP for $E$ is decidable in polynomial time in $|sat(\Gamma)|$ and $|M|$. □

4.1 Extension with Blind Signatures 

Blind signatures are a basic cryptographic primitive in e-cash. The concept was introduced by David Chaum in [14] to allow a bank (or anyone) to sign messages without seeing them. Chaum's idea was to exploit a homomorphic property of the signature scheme: Alice multiplies the original message by a random (encrypted) blinding factor, which makes the resulting value meaningless to the Bank. If the Bank agrees to sign this random-looking data and return it to Alice, she can divide out the blinding factor, and the Bank's signature on the original message appears.

Given a locally stable equational theory $E$, we extend the signature $\Sigma_E$ with $\Sigma_C$, a set of function symbols acting as "constructors" for blind signatures, in order to obtain decidability results for the extension of the IDP for System $\mathcal{N}$ with rules for blind signatures.

Extended Syntax 

The signature $\Sigma$ consists of function symbols and is defined as the union of two sets, $\Sigma = \Sigma_C \cup \Sigma_E$ (with $\Sigma_E \cap \Sigma_C = \emptyset$), where

$$\Sigma_C = \{pub(\_),\ sign(\_,\_),\ blind(\_,\_),\ \{\_\}_{\_},\ \langle \_,\_ \rangle\}$$

represents the constructors, whose interpretations are: $pub(M)$ gives the public key generated from a private key $M$; $blind(M,N)$ gives $M$ encrypted with $N$ using blinding encryption; $sign(M,N)$ gives $M$ signed with a private key $N$; $\{M\}_N$ gives $M$ encrypted with the key $N$ using Dolev-Yao symmetric encryption; $\langle M,N \rangle$ constructs a pair of terms from $M$ and $N$. Then the extended grammar of the set of terms (or messages) is given as

$$M, N := a \mid x \mid f(M_1, \dots, M_n) \mid pub(M) \mid sign(M,N) \mid blind(M,N) \mid \{M\}_N \mid \langle M,N \rangle$$

Notice that, with this extension, an $E$-alien term $M$ is a term headed by some $f \in \Sigma_C$, or $M$ is a private name/constant. An $E$-alien subterm $M$ of $N$ is said to be an $E$-factor of $N$ if there is another subterm $F$ of $N$ such that $M$ is an immediate subterm of $F$ and $F$ is headed by a symbol $f \in \Sigma_E$. This notion extends to sets in the obvious way: a term $M$ is an $E$-factor of $\Gamma$ if it is an $E$-factor of a term in $\Gamma$. These notions were introduced in [29].

The operational meaning of each constructor will be defined by their corresponding inference rules 
in the sequent calculus to be described. 



Extending the EDP to Model Blind Signatures 



Following the approach proposed in [29], we extend EDP with blind signatures using the sequent calculus $\mathcal{S}$ described in Table 2. In this way, we can model intruder deduction for the combination of a locally stable theory $E$ with blind signatures in a modular way: the theory $E$ is used in the $(id)$ rule, while blind signatures are modelled with additional deduction rules. As shown below, this approach has the advantage that we can derive decidability results for the intruder deduction problem without needing to prove that the combined theory is locally stable (in contrast with the results in the previous section and in [1]).

Table 2: System $\mathcal{S}$: Sequent Calculus for the Intruder

$$\dfrac{}{\Gamma \vdash M}\ (id) \qquad M =_{AC} C[M_1, \dots, M_k],\ C[\,]\ \text{an } E\text{-context},\ M_1, \dots, M_k \in \Gamma$$

$$\dfrac{\Gamma \vdash M \qquad \Gamma, M \vdash N}{\Gamma \vdash N}\ (cut)$$

$$\dfrac{\Gamma, \langle M,N \rangle, M, N \vdash T}{\Gamma, \langle M,N \rangle \vdash T}\ (p_L) \qquad \dfrac{\Gamma \vdash M \qquad \Gamma \vdash N}{\Gamma \vdash \langle M,N \rangle}\ (p_R)$$

$$\dfrac{\Gamma \vdash M \qquad \Gamma \vdash K}{\Gamma \vdash \{M\}_K}\ (e_R) \qquad \dfrac{\Gamma, \{M\}_K \vdash K \qquad \Gamma, \{M\}_K, M, K \vdash N}{\Gamma, \{M\}_K \vdash N}\ (e_L)$$

$$\dfrac{\Gamma \vdash M \qquad \Gamma \vdash K}{\Gamma \vdash sign(M,K)}\ (sign_R) \qquad \dfrac{\Gamma \vdash M \qquad \Gamma \vdash K}{\Gamma \vdash blind(M,K)}\ (blind_R)$$

$$\dfrac{\Gamma, sign(M,K), pub(L), M \vdash N}{\Gamma, sign(M,K), pub(L) \vdash N}\ (sign_L),\ K =_{AC} L$$

$$\dfrac{\Gamma, blind(M,K) \vdash K \qquad \Gamma, blind(M,K), M, K \vdash N}{\Gamma, blind(M,K) \vdash N}\ (blind_{L1})$$

$$\dfrac{\Gamma, sign(blind(M,R),K) \vdash R \qquad \Gamma, sign(blind(M,R),K), sign(M,K), R \vdash N}{\Gamma, sign(blind(M,R),K) \vdash N}\ (blind_{L2})$$

$$\dfrac{\Gamma \vdash A \qquad \Gamma, A \vdash M}{\Gamma \vdash M}\ (acut),\ A \text{ is an } E\text{-factor of } \Gamma \cup \{M\}$$

Analysing the system, one can make the following observations:

1. The rules $p_L, e_L, sign_L, blind_{L1}, blind_{L2}$ and $acut$ are called left rules, with $\langle M,N \rangle$, $\{M\}_K$, $sign(M,K)$, $blind(M,K)$, $sign(blind(M,R),K)$ and $A$ as principal term, respectively. The rules $p_R, e_R, sign_R$ and $blind_R$ are called right rules.
2. The rule $(acut)$, called analytic cut, is necessary to prove admissibility of the cut rule. A complete proof can be found in [26, 29].
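As an added illustration (not code from the paper or from [29]), the constructor part of Table 2 can be run as a saturation procedure: the left rules are applied to the intruder's knowledge until nothing new appears, and the right rules then synthesise the goal. It assumes the equational theory $E$ is empty, so the $(id)$ rule is plain membership and $(acut)$ is not needed; term names and the sample knowledge set are constructed for the example.

```python
# Added example: Γ ⊢ M for the constructor rules of Table 2 with E empty,
# so (id) is membership of M in Γ. Terms are nested tuples: ('n', name) for
# names/constants, ('pair', M, N), ('enc', M, K), ('sign', M, K),
# ('blind', M, K) and ('pub', K).

def n(x):
    return ('n', x)

def derivable(gamma, m):
    """Right rules and (id): synthesise m from an already saturated gamma."""
    if m in gamma:                                   # (id) with E empty
        return True
    if m[0] in ('pair', 'enc', 'sign', 'blind'):     # p_R, e_R, sign_R, blind_R
        return derivable(gamma, m[1]) and derivable(gamma, m[2])
    return False                                     # no right rule for pub or names

def saturate(gamma):
    """Apply the left rules of Table 2 until no new term is obtained."""
    gamma = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(gamma):
            new = set()
            if t[0] == 'pair':                                          # p_L
                new |= {t[1], t[2]}
            elif t[0] in ('enc', 'blind') and derivable(gamma, t[2]):   # e_L, blind_L1
                new |= {t[1], t[2]}
            elif t[0] == 'sign':
                _, inner, k = t
                if ('pub', k) in gamma:                                 # sign_L, K =_AC L
                    new.add(inner)
                if inner[0] == 'blind' and derivable(gamma, inner[2]):  # blind_L2
                    new |= {('sign', inner[1], k), inner[2]}
            if not new <= gamma:
                gamma |= new
                changed = True
    return gamma

def deducible(gamma, m):
    return derivable(saturate(gamma), m)

# Constructed knowledge set: the bank's signature on a blinded message, the
# blinding factor r and the bank's public key, as in Chaum's e-cash scenario.
m, r, k = n('m'), n('r'), n('k')
GAMMA = {('sign', ('blind', m, r), k), r, ('pub', k)}
```

With `GAMMA`, `blind_L2` yields `sign(m,k)` and `sign_L` then yields `m`; dropping `r` from the knowledge set makes both `sign(m,k)` and `m` underivable.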
Remark 5. Considerations about locally stable theories with blind signatures:

1. All the results proved in Section 2 remain valid under this extension with blind signatures, since they depend only on the equational theory $E$ and on the symbols in $\Sigma_E$. Unlike example 5.2.4 KTJjl, the theory of blind signatures is not considered part of the equational theory; the functions are abstracted into the set of constructors, with their operational meaning represented in the sequent calculus.

2. In [29] it is shown that the intruder deduction problem for $\mathcal{S}$ is polynomially reducible to the EDP for $E$: if the EDP in $E$ has complexity $f(m)$, then the deduction problem $\Gamma \vdash M$ in $\mathcal{S}$ has complexity $O(n^k \cdot f(n))$ for some constant $k$. This result was proved for an AC-convergent equational theory $E$ containing only one AC symbol and extended to a finite combination of disjoint AC-convergent equational theories, each containing only one AC symbol.

3. In [26], it was proved that deduction in $\mathcal{S}$ reduces polynomially to EDP in the case of the AC-convergent equational theory EP, which contains three different AC symbols and rules for exponentiation and cannot be split into disjoint parts.

As a consequence of the results mentioned in the above remark, we can state the following result:
Corollary 2. Let $E$ be a locally stable theory satisfying (*) containing only one AC symbol or formed by a finite and disjoint combination of AC symbols. Let $\Gamma$ be a finite set of ground terms in normal form and $M$ a ground term in normal form. The IDP for the theory $E$ combined with blind signatures ($\Gamma \vdash M$) is decidable in polynomial time in $|sat(\Gamma)|$ and $|M|$.

5 Conclusion 

We have shown that the IDP is decidable for locally stable theories. In order to obtain the polynomiality result, a restriction on the equational theory is necessary: the theory must contain inverses of all AC symbols. We have proposed an algorithm to solve a restricted case of higher-order AC-matching by using the DO-ACM matching algorithm combined with an algorithm to solve linear Diophantine equations over $\mathbb{Z}$. Based on this algorithm, we obtain a polynomial decidability result for IDP for a class of locally stable theories with inverses. Our algorithm does not need to compute the set of normal forms modulo AC of a given term (which may be exponential). Therefore, we can conclude that the deducibility relation is decidable in polynomial time for a very restricted class of equational theories; it does not hold for all locally stable theories, as [1] has claimed. The approach also decides the IDP for the combination of locally stable theories with the theory of blind signatures, using a translation between natural deduction and sequent calculus.